Redirect to /admin (not host root) after successful SSO sign-in

OmniauthCallbacksController previously relied on Devise's default
`after_sign_in_path_for`, which falls back to the host app's `/`
route. Hosts without a `root` defined hit a routing error; hosts
that do define one (e.g. Rails' welcome page) land somewhere they
don't want to be.

Override `after_sign_in_path_for` to return `/admin` directly, so
the gem keeps working for any ActiveAdmin host without assuming a
root route. Honours `stored_location_for` for deep-link returns.

Also drop the `root to: redirect("/admin")` line from the dummy app
routes — the request spec would previously pass either way because
`/` forwarded to `/admin`. The tighter assertion (response.location
path == "/admin") would have been a false green there.

Author: Fivell

app/controllers/active_admin/oidc/devise/omniauth_callbacks_controller.rb

@@ -45,6 +45,18 @@ def failure
           flash[:alert] = ActiveAdmin::Oidc.config.access_denied_message
           redirect_to after_omniauth_failure_path_for(resource_name)
         end
+
+        private
+
+        # Land on the ActiveAdmin namespace root after a successful SSO
+        # sign-in instead of Devise's default (host app root). Hosts
+        # that don't define a `/` route would otherwise hit a routing
+        # error immediately after login, and even when `/` does exist
+        # it's rarely what an admin user wants to see. ActiveAdmin
+        # always mounts at `/admin`, so we go there directly.
+        def after_sign_in_path_for(resource)
+          stored_location_for(resource) || "/admin"
+        end
       end
     end
   end

spec/dummy/config/routes.rb

@@ -3,5 +3,9 @@
 Rails.application.routes.draw do
   devise_for :admin_users, ActiveAdmin::Devise.config
   ActiveAdmin.routes(self)
-  root to: redirect("/admin")
+  # Intentionally no `root` route. The gem's OmniauthCallbacksController
+  # must redirect into the ActiveAdmin namespace directly — not rely on
+  # the host app to supply a `/` route. If the redirect regresses to
+  # Devise's default, these request specs will break with a missing
+  # route error, which is exactly what we want.
 end

spec/requests/omniauth_callback_spec.rb

@@ -57,9 +57,18 @@ def trigger_callback
       expect(user.email).to eq("new@example.com")
       expect(user.oidc_raw_info).to include("sub" => "sub-new", "email" => "new@example.com")
 
-      # Devise's default is the app root; the dummy app redirects `/` to /admin.
       expect(response).to be_redirect
-      expect(response.location).to match(%r{\Ahttps?://[^/]+/(\z|admin)})
+    end
+
+    it "redirects directly to the ActiveAdmin namespace root, not the host app's /" do
+      OmniAuth.config.mock_auth[:oidc] =
+        build_auth_hash(uid: "sub-new", email: "new@example.com")
+
+      post "/admin/auth/oidc"
+      follow_redirect! # OmniAuth request phase -> callback
+      # `response` is now whatever the callbacks controller redirected to.
+      expect(response).to be_redirect
+      expect(URI(response.location).path).to eq("/admin")
     end
   end